Executive Summary

In December 2013, in the midst of the busiest shopping season of the year, Target announced that it had been breached by attackers who had gotten away with 70M customers' Personally Identifiable Information (PII)[1]. A few days later, Target admitted that 40M credit cards were stolen. The financial damages to Target currently stand at $148M, and according to analyst forecasts are estimated to reach $1B[2].

Although many details regarding the attack have surfaced and reached the general audience, some aspects of the attack still remain in the dark. Specifically, how did the attackers reach into the heart of Target's network, the POS (Point-of-Sale) system, from their initial penetration point? Second, how was the "Personally Identifiable Information" (PII) of 70M users exposed?

We set out to find the answers to these questions. By carefully analyzing the publicly available reports on the Target breach, we were able to build out the entire Target attack story.

While this story largely follows the general "APT kill chain" attack model, which is relevant to nearly any industry targeted by advanced attackers, the Target attack introduces some additional nuances specifically relevant to retail and other credit card processing targets. It suggests that a vertical-focused cyber intelligence sharing system, such as R-CISC[3] (Retail Cyber Intelligence Sharing Center) and R-ISAC (Retail Information Sharing and Analysis Center), can be highly beneficial.

In this report, we break down the Target attack into 11 detailed steps, beginning with the initial credential theft from Target's HVAC contractor and ending with the theft of PII and credit cards. Particular attention is given to those steps, unknown until now, such as how the attackers were able to propagate within the network. Throughout this report we highlight pertinent insights into the Tactics, Techniques and Procedures (TTPs[4]) of the attackers. Finally, we provide recommendations on the security measures needed for mitigating similar advanced targeted attacks.

Key Findings:

• TTPs: The attackers' Tactics, Techniques and Procedures (TTPs) included general IT tools, protocols and procedures. Seldom did they use hacker-specific tools and malware.

• PCI: PCI compliance actually improved the security posture of Target. Target's compliance with PCI not only minimized the scope of the breach, but also forced the attackers to slow down as they re-assessed and changed their course of attack.

• PtH: Attackers used "Pass-the-Hash" (PtH) techniques to propagate through Target's network.

• PII: Attackers gained access to 70M Personally Identifiable Information (PII) records by exploiting a SQL server database.

• AD: Active Directory (AD) related activity was paramount to the attackers' success.

[1] http://en.wikipedia.org/wiki/Personally_identifiable_information

[2] http://www.nytimes.com/2014/06/09/business/cyberattack-insurance-a-challenge-for-business.html

[3] http://www.rila.org/rcisc/home/Pages/default.aspx

[4] http://www.uscg.mil/forcecom/TTP/default.asp
Mapping the Knowns and the Unknowns

Before delving into the missing pieces of the attack puzzle, let's map out the already known facts about the Target breach as explicitly revealed by publicly available reports:

1. The initial penetration point of the attackers was through stolen HVAC vendor credentials[5].

2. The attackers used the vendor's stolen credentials to gain access to Target-hosted web services for vendors.

3. Attackers deployed the "Kaptoxa" (pronounced "Kar-toe-sha") malware on many of Target's POS machines, which was used to steal credit card information.

4. Stolen credit cards were periodically sent to a central repository within Target's network using standard Windows protocols (specifically, the SMB[6] protocol).

5. The stolen data was exfiltrated from the central 
repository to the attackers' controlled server via 
FTP. 

These five steps have been extensively documented 
and technically analyzed. However, a knowledge gap 
exists when it comes to the following: 

How were the attackers able to move from 
their initial point of penetration, located on 
the boundary of Target's network, to deploying 
malware in the heart of the network? 



Figure 1 Target breach mystery. The diagram shows the known chain: malware that steals credentials is installed on the HVAC vendor's computer; the attackers connect using the stolen credentials to Target's web app for vendors; the malware sends 40M credit cards via a network share to an FTP-enabled PC; the stolen data is sent via FTP to an attacker-controlled FTP server. Open questions: How did the attackers get to the POS machine? How did they steal 70M PII on top of the 40M CCs?



Where is the explanation for the theft of the PII of 70M of Target's customers? This chain of events only explains the exfiltration of 40M credit cards.



In order to fill the information gaps, we meticulously read the publicly available reports and advisories and discovered, on top of the five aforementioned steps, six additional previously undocumented steps. These steps provide the necessary explanation from the initial steps of penetration to the installation of malware on the POS machines and the theft of 70M PII records.



[5] http://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/

[6] http://en.wikipedia.org/wiki/Server_Message_Block
Methodology

As stated above, in order to fill the information gaps, we meticulously read the threat advisories issued by the credit card companies and security firms. Our primary sources were:

• VISA's "Retail Merchants Targeted by Memory-Parsing Malware" report[7], issued in February 2014

• Dell SecureWorks' "Inside a Targeted Point-of-Sale Data Breach" report[8], issued in January 2014

• iSight Partners' "KAPTOXA Point-of-Sale Compromise" report[9], issued in January 2014

• KrebsOnSecurity blog post series on the Target Data Breach[10]

• "A 'Kill Chain' Analysis of the 2013 Target Data Breach" report[11] for the Senate Committee on Commerce, Science, and Transportation, issued in March 2014



In particular, we paid special attention to the list of the tools used by the attackers disclosed in the 
aforementioned advisories. The attack-tools list appears in the appendices. 

While this work can be dismissed as merely educated guesswork and therefore may include some inevitable errors, it seems that our deductions and inferences are solid and backed up by several different findings. In all cases we have included the evidence that led us to the conclusions, so readers can follow our line of thought and judge for themselves.

We hope that this report sparks a discussion about the missing links in the Target breach story. More so, we hope this discussion expands beyond the Target attack to other advanced attacks, leading to the disclosure of more attack data and facts. We strongly believe that disclosing data about the attackers' TTPs will benefit the security community in building stronger and more efficient defenses against such threats.



[7] http://usa.visa.com/download/merchants/Bulletin-Memory-Parser-Update-012014.pdf

[8] http://krebsonsecurity.com/wp-content/uploads/2014/01/Inside-a-Targeted-Point-of-Sale-Data-Breach.pdf

[9] http://www.securitycurrent.com/resources/files/KAPTOXA-Point-of-Sale-Compromise.pdf

[10] http://krebsonsecurity.com/tag/target-data-breach/

[11] http://docs.ismgcorp.com/files/external/Target_Kill_Chain_Analysis_FINAL.pdf
The Hackers' Voyage from the Network's Boundaries to its Heart

In this section we discuss in depth how the attackers were able to propagate from a web interface, whose server resided on the boundaries of Target's network, to the POS machines, the very heart of Target's network.

The figure above illustrates the attack campaign, where the attackers performed the following steps: 

1. Install malware that steals credentials from the computer of Target's HVAC vendor.

2. Connect using stolen credentials. The stolen credentials of the HVAC vendor enable access to Target's application dedicated to vendors.

3. Exploit a web application vulnerability on the Web interface of Target's application dedicated to vendors. The exploit enables the attackers to execute code on the Web application's server.

4. Search for relevant targets for propagation by querying Active Directory from the Web application's server. Queries are performed over the LDAP protocol.

5. Steal an access token from a Domain Admin. The attackers steal the token of the previously connected Domain Admin from the memory of the Web application's server.

6. Create a new Domain Admin account using the stolen token. This new account is created in Active Directory.

7. Propagate to relevant computers using the new Domain Admin credentials. The relevant computers were identified in step (3), and the new Admin account was created in step (6).

8. Steal 70M PII. Do not find credit cards. The data is extracted from a PCI-compliant database, using the SQL protocol from a previously propagated computer. Since the database is PCI-compliant, no credit cards are stored on it.

9. Install malware. Steal 40M credit cards. The data is extracted by the Kaptoxa malware from the memory of the POS system.

10. Send stolen data via network share. The malware sends the extracted credit card and PII data, obtained in steps (8) and (9), to an FTP-enabled machine within Target's internal network.

11. Send stolen data via FTP to an attacker-controlled FTP server.

In the following subsections we deep dive into the details of each of these steps. We give particular 
attention to the six steps (steps 3-8) as these are additional, previously undocumented steps which 
provide the complete story of the Target attack path. 
Step 1: Install Malware that Steals Credentials

According to publicly available sources[12], the attackers infected Target's HVAC contractor with the Citadel malware through the use of a phishing email. The Citadel malware is a "run-of-the-mill", general purpose malware and has been documented to infect millions of computers in the past[13]. Citadel is known to be able to harvest web application credentials stored within the infected machine's browser.



Step 2: Connect Using Stolen Credentials

The attackers used the vendor's stolen credentials to gain access to Target-hosted web services dedicated to vendors. According to the contractor's (Fazio Mechanical) official announcement[14], the only access the HVAC vendor had was to some of Target's vendor administrative systems: "Fazio Mechanical does not perform remote monitoring or control of heating, cooling or refrigeration systems for Target. Our data connection with Target was exclusively for electronic billing, contract submission and project management"

As such, the credentials were used to access any one of the following services:

1. The "Ariba" Web application: a billing system.

2. The "Partners Online" Web application: Target's project management and contract submissions portal.

3. Target's Property Development Zone Web application.



Step 3 (New Research): Exploit a Web Application Vulnerability

We know that the attackers stole the HVAC vendor's credentials to Target's internal web application, hosted on Target's internal network. However, we also know that this system has a very specific functionality that does not allow the arbitrary command execution which the attackers need in order to compromise the machine. How then were the attackers able to bypass this restriction? We sought to find out.

As a first step, the attackers had to find a vulnerability within the web application. Despite there being no public information regarding this vulnerability, we were able to find a clue hinting at its source. Looking at the supplied attack-tools list, we found a file named "xmlrpc.php". This file immediately stands out, as all other files in the list are Windows executables, while PHP files are used for running scripts within web applications.

This file suggests that the attackers were able to upload a PHP file by leveraging a vulnerability within the web application. The reason is that the web application likely had an upload functionality meant for uploading legitimate documents (say, invoices). But as often happens in web applications, no security checks were performed to ensure that executable files are not uploaded.

In order to disguise their malicious script as a popular PHP component, the attackers named the uploaded file "xmlrpc.php"[15]. The code within this bogus xmlrpc.php script was probably a "web shell"[16], a web based backdoor that allowed the attackers to upload files and execute arbitrary OS (Operating System) commands.
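The defence this step calls for is validation of uploads. The following Python is an added example, not code from the report or from Target's vendor portal, and its extension and magic-byte lists are assumptions made for the illustration. It contrasts the unchecked pattern the report infers (the client-supplied name is kept and nothing is inspected) with a handler that strips path components, rejects a script extension anywhere in the name, checks the declared type against the file's leading bytes, refuses polyglots that embed a script opener, and stores the file under a random name outside the web root.

```python
import os
import secrets

# Extensions the web server would hand to a script engine. The set is an
# assumption for this example; Target's actual server configuration is not public.
EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "phtml", "phar", "asp", "aspx", "jsp", "jspx",
    "cgi", "pl", "py", "sh", "exe", "dll", "bat", "cmd", "ps1", "htaccess",
}

# Document types an invoice portal plausibly accepts, with the leading bytes
# ("magic") a genuine file of that type starts with. Also an assumption.
ALLOWED_TYPES = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
}


class UploadRejected(Exception):
    """Raised when an upload fails validation."""


def vulnerable_check(filename: str, content: bytes) -> str:
    """The pattern the report infers: the user-supplied name is kept as-is and
    neither name nor content is validated, so a file named xmlrpc.php lands
    under the web root and is later executed by the server."""
    if not filename:
        raise UploadRejected("empty file name")
    return filename


def hardened_check(filename: str, content: bytes) -> str:
    """Validate a document upload and return the name it should be stored under.

    The stored name is random, so nothing the client chose (path components or
    a script extension) ever reaches the filesystem.
    """
    # Strip directory components from either path convention.
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or base.startswith("."):
        raise UploadRejected("empty or hidden file name")
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        raise UploadRejected("missing extension")
    # Check every dotted component, not only the last one: some server
    # configurations treat "invoice.php.pdf" as PHP.
    if any(p in EXECUTABLE_EXTENSIONS for p in parts[1:]):
        raise UploadRejected("executable extension: " + base)
    ext = parts[-1]
    if ext not in ALLOWED_TYPES:
        raise UploadRejected("type not on allow-list: " + ext)
    # The declared type must match what the bytes say.
    if not content.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match ." + ext)
    # A document that also carries a script opener is a polyglot; reject it.
    if b"<?php" in content or b"<%" in content:
        raise UploadRejected("script marker inside document")
    return secrets.token_hex(16) + "." + ext


def is_accepted(filename: str, content: bytes) -> bool:
    """Convenience wrapper: True if the hardened check would store the file."""
    try:
        hardened_check(filename, content)
        return True
    except UploadRejected:
        return False


def save_upload(filename: str, content: bytes, storage_dir: str) -> str:
    """Store a validated upload in storage_dir (kept outside the web root)
    and return the path written."""
    stored = os.path.join(storage_dir, hardened_check(filename, content))
    with open(stored, "wb") as fh:
        fh.write(content)
    return stored
```

The random stored name is the part that matters most: even if a check is bypassed, the server never serves or executes a file at a path the attacker can predict, and the storage directory is not mapped by the web server at all.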



[12] http://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/

[13] http://www.eweek.com/security/microsoft-liberates-more-than-1.2-million-pcs-from-citadel-botnet/

[14] http://faziomechanical.com/Target-Breach-Statement.pdf

[15] http://www.php.net/manual/en/book.xmlrpc.php

[16] https://blogs.akamai.com/2013/10/web-shells-backdoor-trojans-and-rats.html
TTP 1: The methodology of "hiding in plain sight" and disguising malicious components as legitimate repeats itself throughout the attackers' campaign.

TTP 2: Attackers maintain persistence for their programs within breached machines by running their programs as server scripts or services.

The use of an uploaded file to subvert a web application has been documented to be a popular penetration method among attackers[17]. In fact, the method of using an Internet-facing web application as a springboard for penetrating an organization is not confined to Target's breach. In the past, this method has played a pivotal role in other attacks[18], such as that against the security vendor Bit9[19].

TTP 3: Attackers use uploaded files to infiltrate internal systems.



Step 4 (New Research): Search for Relevant Targets for Propagation

Due to the Web vulnerability exploit detailed in the previous step, the attackers were able to run arbitrary OS (Operating System) commands. Consequently, the attackers were able to start their internal reconnaissance campaign in order to gather intelligence on Target's internal network and find the relevant targets: servers that hold credit cards and credit card holders' information.

To glean this type of information, the attackers targeted Active Directory. Active Directory, as its name suggests, contains the data on all members of the Domain[20]: users, computers and services.

TTP 4: Active Directory is pivotal for attackers to gather intelligence on the target's infrastructure, users, computers and services.



To query Active Directory there is no need for a specialized tool or special privileges. On the contrary, this functionality is supplied with internal Windows tools using the standard LDAP protocol. Furthermore, any Domain user can query Active Directory. It makes sense then to imagine that the attackers, interested in identifying databases holding credit cards, simply retrieved all services whose Service Principal Name (SPN) contained the string "MSSQLSvc"[21]. Further inspection of the retrieved service names allowed the attackers to infer the purpose of each service by looking at the name of the server (e.g. a hypothetical SPN string of "MSSQLSvc/billingServer"). This scenario makes even more sense considering that the 70M PII records from Target's network were probably stored within a database. The reason is that the attack-tools list contained a few SQL-related tools, such as the osql.exe, isql.exe and bcp.exe tools. These tools are analyzed more thoroughly later in the document.

Similarly, the attackers had probably applied such a 
process to find POS-related machines. 

Once the attackers had found the names of their targets, whether SQL servers or POS machines, they were able to obtain the respective IP addresses by querying the DNS server, which is often co-located on the Active Directory server.



[17] https://www.brighttalk.com/webcast/7451/110653 (slide 12)

[18] http://www.securityweek.com/hackers-target-web-apps-bridgehead-datacenter

[19] http://www.computerworld.com/s/article/9237142/Hacking_victim_Bit9_blames_SQL_injection_flaw

[20] http://en.wikipedia.org/wiki/Windows_domain

[21] https://www.netspi.com/blog/entryid/228/locate-and-attack-domain-sql-servers-without-scanning
Step 5: Steal Access Token from Domain Admins

Given that the attackers had identified their relevant targets, they needed the proper privileges to access them. The holy grail of access within a Windows network is having Domain Admin privileges, as these are the highest available permissions, which empower a user to access every computer. Naturally, the attackers sought to get hold of Domain Admin privileges.

TTP 5: Attackers require Domain Admin privileges to smoothly propagate within the network.



Luckily for the attackers, they did not need to look far. Using a well-known attack technique called Pass-the-Hash, the attackers were able to impersonate a valid user. How did we infer this?

A former member of Target's security team 
admitted to cyber-investigative journalist, Brian 
Krebs, that: "Most, if not almost all, internal 
applications at Target used Active Directory (AD) 
credentials... the internal administrators would use 
their AD login to access the system from inside." 

To understand this statement, it is important to recognize that when a user interactively logs into a computer, Windows generates a token, called an NT hash, which resides in the computer's memory. This token replaces the password and allows the Single Sign-On (SSO) experience, in which users are only asked for their password once. These tokens may remain in memory until the server is rebooted.

Since servers are rarely rebooted, the chances are that the NT hashes of Target's Domain Admins who had logged into the system's servers were still in the memory of the system when the attackers broke in, allowing the attackers to obtain them from the machine's memory and gain Domain Admin privileges (i.e. what is called Pass-the-Hash).



Visa's report further strengthens this assumption as it recommends to:

"Limit administrative privileges on users and applications."

"Do not use NTLM or LM hash for password hashing as the algorithm is known to be compromised and susceptible to a Pass-the-Hash type of attack."

The attackers obtained these NT hashes from the Web server's memory using any of the following tools that are listed in the attack-tools list:

• WCE: Windows Credential Editor (WCE) is a known penetration test tool that can "steal NTLM credentials from memory"[22]. Its use is indicated by the existence of the GETLSASRVADDR.exe file[23]: "GETLSASRVADDR.exe is a tool (included with WCE) that can be used to obtain automatically the needed addresses for WCE to be able to read logon sessions and NTLM credentials from memory". Another possible indication of the attackers' use of WCE is the 2WCE.exe file, due to its similar name.

• QuarksPwDump: A tool that, according to its documentation, "Extracts domain accounts NT/LM hashes + history"[24].

• Elcomsoft Proactive Password Auditor: The tool's documentation says: "If you have administrator rights on the machine you run PPA on, you can dump password hashes from its memory."[25]

Using WCE, the attackers were able to perform the aforementioned Pass-the-Hash attack and reuse the token to impersonate the original owner of the NT hash, the Active Directory administrator.

[22] www.ampliasecurity.com/research/wcefaq.html#whatiswce

[23] http://www.ampliasecurity.com/research/wcefaq.html#whatislsasrvaddr

[24] https://code.google.com/p/quarkspwdump

[25] www.elcomsoft.ru/help/en/ppa/obtaining_password_hashes.html




Step 6 (New Research): Create a New Domain Admin Account Using the Stolen Token

Once the attackers had gained the privileges of a Domain Admin through the use of the NT hash and the Pass-the-Hash attack, they proceeded to create a new Domain Admin account. The new account offered the attackers the following advantages over the stolen hash:

• Persistency: The NT hash becomes invalid when the victim changes their password.

• Password: some services, such as Remote Desktop (RDP), do not support the SSO paradigm and require the explicit use of the password. With the added user, the attackers control the password and can use these services, as we will show below.

To add a Domain Admin, the attackers were not required to install any specialized tool, as this functionality is already supplied by the following built-in Windows commands:

• net user: to add a user to the Domain[26]

• net group: to add the user to the Domain Admins group[27]

TTP 6: Attackers leverage existing Windows functionality to perform sensitive administrative tasks on the Domain.



Note that the new Domain Admin account is created in Active Directory, making Active Directory very much aware of this activity.

As in previous steps, here too the attackers chose to "hide in plain sight". The attackers did this by creating the username "best1_user", which mimics the username of BMC's BladeLogic Server Automation product[28], a legitimate IT application. However, according to BMC's statement[29], this username's password is not the one set by BladeLogic.

At a later attack stage, the attackers' malware used this "best1_user" account to send the credit card data from the POS machines to a central repository within Target's network.

TTP 7: Attackers create bogus accounts to maintain their persistency within the network.

Based on this attack step, Visa's report recommends to "Periodically review systems (local and domain controllers) for unknown and dormant users."



Step 7 (New Research): Propagate to Relevant Computers Using the New Admin Credentials

With both the intelligence on the relevant 
computers (obtained in step 4) and the means 
to access them with Domain Admin credentials 
(obtained in step 6), the attackers were able to 
propagate towards the relevant targets. 

At this stage, two obstacles stood in front of the attackers:



[26] http://support.microsoft.com/kb/251394

[27] http://technet.microsoft.com/en-us/library/bb490703.aspx

[28] ftp://ftp.bmc.com/pub/perform/resolutions/15063490.pdf

[29] http://www.bmc.com/news/press-releases/2014/BMC-Software-Comments-on-Speculation-Concerning-the-Target-Breach.html



Aorato | Target Attack, Step by Step



1. Bypassing the firewall and other network-based security solutions that limit the attackers' direct access to their relevant targets

2. Running remote processes on various machines in the chain towards their relevant targets

Let's see how the attackers overcame each: 



Bypassing the Firewall and Other Network-based Security Solutions

The attackers used the "Angry IP Scanner"[30] in order to identify network protection obstacles. The "Angry IP Scanner", which also appears in the attack-tools list, detects which computers are network-accessible from the current computer.



Figure 3 The Port Forwarding utility used by the attackers to bypass firewall rules (screenshot of the tool's settings dialog; only its "Autostart" and "Activate (Telnet only)" controls are legible)

TTP 8: Attackers bypass network-based security solutions, such as firewalls, by using a network tunnel.



Figure 2 Angry IP Scanner[30] (screenshot of a scan of the IP range 216.34.181.0 to 216.34.181.255, hostname www.sf.net, listing for each host the columns IP, Ping, Hostname, Ports [3+] and Web detect)

To overcome such obstacles, the attackers propagated through a series of servers (a "tunnel") to bypass the security measures. Evidence of this bypassing can be found in the existence of the port forwarding IT tool in the attack-tools list, aimed at defeating such firewall rules.



Running Remote Processes on Various Machines

To execute processes on the remotely targeted servers, the attackers used the credentials in conjunction with both Microsoft's PsExec utility and a Remote Desktop Protocol (RDP) tool:

• The PsExec utility, present in the attack-tools list, is[31] "a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. PsExec's most powerful uses include launching interactive command-prompts on remote systems and remote-enabling tools".

• The Windows built-in Remote Desktop (RDP) client provides full control over the remote machine with a Graphical User Interface (GUI). By using it, the attackers can also leverage the GUI to assess whether the target is indeed valuable. As a result, Visa's recommendation is to "Deny Remote Desktop Protocol (RDP) logons whenever possible."



[30] http://angryip.org/

[31] http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
Note that for both PsExec and RDP, the authentication and the authorization of the user on the remote machine are done against Active Directory, making Active Directory very much aware of this activity.

TTP 9: Attackers use PsExec and RDP to remotely execute processes on internal network machines.

The attackers did not stop at gaining "one time" access to those systems, which depends on credentials. What the attackers strived for was to maintain more persistent access. The way they gained persistency was by using "OrchestratorRunProgramService.exe", which is part of Microsoft's Orchestrator[32] management solution and appears in the attack-tools list. As its name suggests, the purpose of this service is to enable the (remote) execution of other programs. By installing the service, the attackers once again achieved both a seemingly legitimate foothold (i.e. "hiding in plain sight") and persistency (as the service is automatically restarted on boot), which allowed them to remotely execute arbitrary code on the compromised server, such as running the "Kaptoxa" malware.



Step 8 (New Research): Steal 70M PII. Do Not Find Credit Cards.



One of the mysteries we sought to solve was the method used by the attackers to steal the 70M PII records from Target's network. It's time to figure it out.

First, let's recap what the attackers had up until now. They had the intelligence on the relevant databases obtained in the reconnaissance stage (step 4). They obtained new Domain Admin credentials (step 6). And, using the Domain Admin credentials, they were able to propagate to the specific computer that enabled them to query a sensitive database (step 7).

[32] http://technet.microsoft.com/en-us/library/hh237242.aspx

The attack-tools list provides some clues to the methods used to obtain the data from the database server, as the list contains the following SQL-related tools:

1. osql.exe: Microsoft's SQL query tool[33]

2. isql.exe: Microsoft's SQL query tool[34]

3. bcp.exe: Microsoft's SQL bulk copy tool[35]

It makes sense that the attackers used the query 
tools (osql and isql) to retrieve a few entries in 
order to assess the value of the database. Once 
they had determined that the data was relevant to 
them, they proceeded to use the bcp.exe utility to 
retrieve all of the database contents. 

The interesting part? We can assume that the attackers needed to change their mode of operation due to Target's PCI compliance requirements. The reason is that normally all information resides in the database, so it makes sense that the attackers' first goal was to attack it. However, once the attackers discovered that the Target database was PCI-compliant, they had to switch to their contingency plan and directly attack the POS systems. To recall, PCI-DSS section 3.2 states that: "Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process"



[33] http://msdn.microsoft.com/en-us/library/ms162806.aspx

[34] http://technet.microsoft.com/en-us/library/aa214007(v=sql.80).aspx

[35] http://msdn.microsoft.com/en-us/library/ms162802.aspx
Data Element                          | Storage Permitted | Render Stored Data Unreadable per Requirement 3.4
Cardholder Data:
  Primary Account Number (PAN)        | Yes               | Yes
  Cardholder Name                     | Yes               | No
  Service Code                        | Yes               | No
  Expiration Date                     | Yes               | No
Sensitive Authentication Data:
  Full Track Data                     | No                | Cannot store per Requirement 3.2
  CAV2/CVC2/CVV2/CID                  | No                | Cannot store per Requirement 3.2
  PIN/PIN Block                       | No                | Cannot store per Requirement 3.2

Figure 4 Track data should not be stored according to PCI-DSS

Therefore, it seems that although being PCI compliant did not stop Target from being breached, it did:

1. Protect the credit card details of 30M of Target's customers, as the database contained 70M records compared to only 40M records extracted from the POS systems. This is more than a 40% reduction of the incident's repercussions.

2. Buy some precious time for the defensive side to regroup and defeat the attackers before a single credit card had been stolen. Unfortunately, this time was not properly used, as Target remained unaware of the attack.
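As an added example (not code from the report), a small audit of a database export against the two PCI-DSS rules the report relies on: Requirement 3.2 (sensitive authentication data such as track data, CVV2 or PIN blocks must not be stored at all after authorization) and Requirement 3.4 (a stored PAN must be rendered unreadable). The column names and the sample rows are constructed for the illustration; the card numbers are the industry's published test numbers. A value counts as a readable PAN only if it is a 13-19 digit run that passes the Luhn check, so masked, tokenized and hashed values pass the audit.

```python
import re

# Column classes taken from the PCI-DSS table in Figure 4. The column names are
# assumptions about how a billing database might label them.
FORBIDDEN_COLUMNS = {"track1", "track2", "full_track", "cvv2", "cvc2", "cav2",
                     "cid", "pin", "pin_block"}                      # Requirement 3.2
PAN_COLUMNS = {"pan", "card_number", "primary_account_number"}      # Requirement 3.4

# A 13-19 digit run, optionally separated by spaces or dashes, not embedded
# in a longer digit string.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check-digit validation; every real payment card number passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_clear_pans(text: str) -> list:
    """Return every Luhn-valid 13-19 digit run found in text, digits only.
    Masked ("411111******1111"), tokenized or hashed values yield nothing."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def audit_rows(rows: list) -> list:
    """Return (row index, column, finding) for every value that must not be
    stored at all (Req 3.2) or is a PAN stored readable (Req 3.4)."""
    findings = []
    for n, row in enumerate(rows):
        for col, val in row.items():
            if val in (None, ""):
                continue
            c = col.lower()
            if c in FORBIDDEN_COLUMNS:
                findings.append((n, col, "sensitive authentication data stored (Req 3.2)"))
            elif c in PAN_COLUMNS and find_clear_pans(val):
                findings.append((n, col, "PAN stored readable (Req 3.4)"))
            elif c not in PAN_COLUMNS and find_clear_pans(val):
                findings.append((n, col, "Luhn-valid PAN in an unexpected column"))
    return findings


# Constructed export rows. 4111111111111111 and 5555555555554444 are published
# test numbers, not real accounts; the track2 value is a placeholder string.
SAMPLE_ROWS = [
    {"order_id": "100200300", "cardholder_name": "A. Example",
     "pan": "411111******1111", "expiry": "1215", "cvv2": "", "notes": ""},
    {"order_id": "100200301", "cardholder_name": "B. Example",
     "pan": "4111111111111111", "expiry": "0316", "cvv2": "", "notes": ""},
    {"order_id": "100200302", "cardholder_name": "C. Example",
     "pan": "555555******4444", "expiry": "0916", "cvv2": "",
     "track2": "<track data placeholder>", "notes": ""},
    {"order_id": "100200303", "cardholder_name": "D. Example",
     "pan": "tok_7f3a9c", "expiry": "0117", "cvv2": "",
     "notes": "customer read out 5555 5555 5555 4444 by phone"},
]

if __name__ == "__main__":
    for row_index, column, finding in audit_rows(SAMPLE_ROWS):
        print(f"row {row_index} column {column}: {finding}")
```

The third rule (a Luhn-valid number in a free-text column) is the one that matters in practice: a database whose PAN column is properly masked can still fail Requirement 3.4 through a notes or log field, which is exactly the kind of table a bulk-copy tool such as bcp.exe would carry off whole.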

Step 9: Install Malware. Steal 40M Credit Cards

Once the attackers found out that they were 
not able to extract the credit card details from 
the database they switched to their contingency 
plan and installed the Kaptoxa malware on all of 
the POS machines, using the same propagation 
methods that were discussed in Step 7. 

The malware scanned the memory of the POS machine and, when it identified a credit card, saved it to a local file.

Also in this step the attackers used the Windows Services functionality as a method to gain persistency. To "hide in plain sight" they named the new Windows service "POSWDS", which seems legitimate at first glance.

Step 10: Send Stolen Data via Network Share 

To exfiltrate the credit card data obtained by the malware, the malware created a remote file share on a remote, FTP-enabled machine by using the Windows built-in "net use" command and the Domain Admin credentials.

The malware then periodically copied its locai file, 
containing credit card details to the remote share. 

O TTP 10: Attackers use Standard IT procedures and 
protocois (such as utilizing a network share), where 
possible, to perform their attacks. 

Note that both the authorizing of a remote share 
creation and copying files to it is done against 
Active Directory, making Active Directory very 
much aware of this activity. 

Step 11: Send Stolen Data via FTP 

Once the data, either credit cards or the content of 
the database, arrived to the FTP-enabled machine, 
a script on the machine (installed in the very 
same way as the malware, through the use of the 
technigues described in step 7) sent the file to 
attackers' controlled FTP account, using Windows 
internal FTP client. 
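Steps 9 to 11 each leave an artifact on the hosts themselves: a new service on a POS machine, a share mapped under a privileged account, and the built-in FTP client launched on an internal machine. The script below is an added example, not code from the report or from Aorato, that correlates constructed Windows-style event records along those lines. The host names, IP address, account name and the baseline service list are assumptions; the service name POSWDS and the file name svchosts.exe are the ones the report mentions.

```python
"""Correlate host events for the Step 9-11 pattern: an unexpected service
installed on a POS host, a network share mapped under a Domain Admin
account, and the built-in FTP client run on an internal host.

All events below are constructed for this example. Field names follow
Windows log content (7045 = service installed, 4688 = process created)."""
import re
from dataclasses import dataclass

# Baseline (assumed): services expected on the POS image and accounts that
# hold Domain Admin rights. Both would normally be pulled from a CMDB / AD.
KNOWN_POS_SERVICES = {"PosPrinterSvc", "PaymentBridge", "WinDefend"}
DOMAIN_ADMINS = {"CORP\\da-svc1"}          # constructed account name
POS_HOST_RE = re.compile(r"^POS-\d{4}$")   # constructed naming convention


@dataclass
class Event:
    host: str
    event_id: int
    user: str
    detail: str


# Constructed sample log. POSWDS and svchosts.exe are names the report
# mentions; the hosts, IP address and accounts are made up.
SAMPLE_EVENTS = [
    Event("POS-0142", 7045, "SYSTEM",
          "ServiceName=POSWDS ImagePath=C:\\Windows\\svchosts.exe"),
    Event("POS-0142", 4688, "CORP\\da-svc1",
          "NewProcessName=C:\\Windows\\System32\\net.exe "
          "CommandLine=net use S: \\\\10.0.5.21\\c$\\winnt /user:CORP\\da-svc1"),
    Event("POS-0142", 4688, "CORP\\da-svc1",
          "NewProcessName=C:\\Windows\\System32\\cmd.exe "
          "CommandLine=copy C:\\Windows\\Temp\\data.dat S:\\"),
    Event("STAGE-01", 4688, "CORP\\da-svc1",
          "NewProcessName=C:\\Windows\\System32\\ftp.exe "
          "CommandLine=ftp -s:C:\\Windows\\Temp\\script.txt"),
    # Benign noise that the rules must not flag.
    Event("POS-0199", 7045, "SYSTEM",
          "ServiceName=PaymentBridge ImagePath=C:\\Program Files\\POS\\bridge.exe"),
    Event("WS-0007", 4688, "CORP\\jdoe",
          "NewProcessName=C:\\Windows\\System32\\net.exe "
          "CommandLine=net use H: \\\\files\\home"),
]


def _field(detail, name):
    """Return the value of a space-free `name=value` token, or ''."""
    m = re.search(rf"{name}=(\S+)", detail)
    return m.group(1) if m else ""


def _command_line(detail):
    """Return everything after `CommandLine=` (may contain spaces)."""
    m = re.search(r"CommandLine=(.*)$", detail)
    return m.group(1) if m else ""


def analyze(events):
    """Return (rule, host, evidence) tuples for events matching Steps 9-11."""
    findings = []
    da_seen_on = set()   # report a Domain Admin on a given POS host only once
    for e in events:
        is_pos = bool(POS_HOST_RE.match(e.host))
        if e.event_id == 7045 and is_pos:
            # Step 9: a service that is not part of the POS baseline.
            name = _field(e.detail, "ServiceName")
            if name not in KNOWN_POS_SERVICES:
                findings.append(("step9_unknown_service", e.host, name))
        elif e.event_id == 4688:
            exe = _field(e.detail, "NewProcessName").lower().rsplit("\\", 1)[-1]
            cmd = _command_line(e.detail).lower()
            # Step 10: a Domain Admin running anything on a POS terminal.
            if is_pos and e.user in DOMAIN_ADMINS and e.host not in da_seen_on:
                da_seen_on.add(e.host)
                findings.append(("step10_da_on_pos", e.host, e.user))
            # Step 10: `net use` mapping a remote share from a POS host or by a DA.
            if exe == "net.exe" and cmd.startswith("net use") and \
                    (is_pos or e.user in DOMAIN_ADMINS):
                findings.append(("step10_share_mapping", e.host, cmd))
            # Step 11: the built-in FTP client, rarely legitimate on such hosts.
            if exe == "ftp.exe":
                findings.append(("step11_ftp_client", e.host, cmd))
    return findings


def chained_hosts(findings):
    """Hosts showing both a Step 9 and a Step 10 indicator: the sequence the
    report describes on a single POS machine."""
    by_host = {}
    for rule, host, _ in findings:
        by_host.setdefault(host, set()).add(rule)
    wanted = {"step9_unknown_service", "step10_share_mapping"}
    return sorted(h for h, rules in by_host.items() if wanted <= rules)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
    print("chained:", chained_hosts(analyze(SAMPLE_EVENTS)))
```

The per-host chaining is the part worth keeping in a real deployment: a single unknown service or a single `net use` is noise on a large estate, but the two on the same POS terminal, under an account that should never log on there, is exactly the Step 9 to Step 10 sequence and is worth an alert on its own.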
Target's Attackers' Tactics, Techniques and Procedures

Generally speaking, the Target attackers largely followed the general APT "kill chain" attack model. However, the Target attack presents unique nuances to the model. These nuances stem from the fact that operations aiming to steal credit cards are inherently different from classic APT operations aimed at intelligence gathering and infrastructure sabotage.

The main difference is that credit card-oriented attacks are bound to be revealed in a relatively short time, as the attackers' monetization path must include massive usage of the stolen credit cards, which will get detected by the credit card vendors' fraud departments.

Consequently, attackers in credit card-oriented attacks do not invest in the infrastructure and automation aspects of the attack. Specifically:

• All the exploratory steps of the campaign are highly manual, using command line tools and UI applications. The only automation seen in the attack process was the ongoing routine part of the Kaptoxa malware, used to continuously steal credit card data from POS systems and send it over to the attackers' servers. In fact, had the attackers been able to extract the credit card details from the first database, the breach would not have had any automated aspect at all!

• Judging from the available information, the attackers did not create the Command and Control (often named C&C/C2/CnC) channel infrastructure often associated with APT attacks. Rather, the attackers manually controlled the operation from within the network.

• The attackers mainly used "normal" IT tools. Malware was used only when no relevant IT tool existed, e.g. for scraping the memory of a POS process.

• Rather than trying to stay invisible, e.g. by using rootkits, the attackers "hid in plain sight". Hiding in plain sight provided "good enough" camouflage for this limited-in-time operation. Notable examples of this technique:

  • Using general purpose, legitimate tools, such as Microsoft Orchestrator, for nefarious purposes.

  • Disguising the attackers by adding bogus accounts made to look like legitimate accounts of IT systems.

  • Masking malware files by naming them like legitimate files.
As mentioned, the Target attackers also adopted general attack practices typically used in various APT campaigns. Although the following insights were gleaned from the Target attack, these TTPs can help not only the retail industry but any industry facing the threat of advanced targeted attacks, such as finance, hospitality, hi-tech, manufacturing, pharmaceutical, mining, etc.:

• Attackers' main method of penetration and propagation into the victim's network is by using stolen credentials, not by exploiting vulnerabilities:

  • Initial compromise with stolen credentials to a remotely accessible system within the internal network

  • "Pass-the-Hash" attack to obtain Domain Admin privileges and create a new Domain Admin account

  • Using the Domain Admin credentials

• Attackers use a staged approach to propagation. At first, they obtain a foothold within the new target through a manual connection (e.g. RDP) to assess its value. If found valuable, they upgrade their grip to a persistent one by:

  • Adding a service to the target system

  • Adding a backdoor (web server's xmlrpc.php)
Security Recommendations

Recommendations to Industries Prone to Advanced Targeted Attacks

We recommend that potential targets of advanced targeted attacks follow the best practices listed here to protect themselves against such a cyber-attack:

• Harden access controls.

• Monitor and profile access patterns to systems to identify abnormal and rogue access patterns.

• Where possible, use Multi-Factor Authentication (MFA) for sensitive systems to reduce the risks associated with credential stealing. Note that MFA does not necessarily eliminate all risks associated with credential stealing.[36]

• Segregate networks, limit allowed protocol usage and limit users' excessive privileges. Note that network segregation will slow down attackers but will not eliminate the threat altogether.

• Monitor user lists for the addition of new users, especially privileged ones.

• Monitor for signs of reconnaissance and information gathering. Pay special attention to excessive and abnormal LDAP queries.

• For sensitive, single-purpose servers, consider whitelisting the allowed programs.

• Don't rely on anti-malware solutions as a primary mitigation measure, since attackers mostly leverage legitimate IT tools.

• Place security and monitoring controls around Active Directory, as it is involved in nearly all stages of the attack.

• Participate in Information Sharing and Analysis Center (ISAC) and Cyber Intelligence Sharing Center (CISC) groups to gain valuable intelligence on attackers' Tactics, Techniques and Procedures (TTPs).
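Two of the recommendations above, monitoring user lists for newly added privileged accounts and watching for excessive or abnormal LDAP queries, map directly onto the TTPs described earlier (a bogus Domain Admin account added to look like a legitimate IT account, and manual reconnaissance from inside the network). The script below is an added example, not code from the report or from Aorato, that implements both checks over constructed data: the group-membership snapshots, account names, host names and LDAP filters are all made up for the example, and the thresholds are assumptions to be tuned per environment.

```python
"""Two of the monitoring recommendations in code: (a) diffing snapshots of
a privileged group to catch a newly added Domain Admin account, and
(b) profiling per-account LDAP query volume and breadth to flag
reconnaissance-style directory sweeps.

Every snapshot and log line here is constructed for the example; in a real
deployment (a) would read group membership from AD and (b) would read
directory-service access logs or a network capture of LDAP traffic."""
from collections import Counter
from statistics import median

# (a) Constructed membership snapshots of the Domain Admins group.
SNAPSHOT_BEFORE = {"CORP\\admin.alice", "CORP\\admin.bob", "CORP\\svc-backup"}
SNAPSHOT_AFTER = SNAPSHOT_BEFORE | {"CORP\\svc-monitor1"}   # new, IT-looking name


def privileged_additions(before, after, approved=frozenset()):
    """Accounts added between two snapshots that no change ticket approved."""
    return sorted((set(after) - set(before)) - set(approved))


# (b) Filters that enumerate whole object classes rather than look up one
# object; a burst of these from one account is the kind of "excessive and
# abnormal LDAP queries" the recommendation refers to. Compared lower-cased.
ENUMERATION_FILTERS = {"(objectcategory=computer)", "(objectcategory=user)",
                       "(objectclass=*)"}


def _constructed_ldap_log():
    """(account, source host, LDAP filter) tuples, built in code so the
    routine traffic and the sweep are easy to tell apart."""
    log = []
    log += [("CORP\\jdoe", "WS-0007", "(sAMAccountName=jdoe)")] * 3
    log += [("CORP\\asmith", "WS-0012", "(sAMAccountName=asmith)")] * 2
    log += [("CORP\\svc-print", "SRV-PRINT01", "(objectCategory=printQueue)")] * 4
    for _ in range(20):   # one account sweeping all users and all computers
        log.append(("CORP\\svc-monitor1", "SRV-WEB01", "(objectCategory=computer)"))
        log.append(("CORP\\svc-monitor1", "SRV-WEB01", "(objectCategory=user)"))
    return log


LDAP_LOG = _constructed_ldap_log()


def ldap_query_profile(log):
    """Per-account query count and the set of enumeration filters used."""
    counts = Counter(acct for acct, _, _ in log)
    enum_filters = {}
    for acct, _, flt in log:
        if flt.lower() in ENUMERATION_FILTERS:
            enum_filters.setdefault(acct, set()).add(flt.lower())
    return counts, enum_filters


def ldap_outliers(log, factor=5, min_enum_filters=2):
    """Accounts whose query volume is `factor` times the median of all
    accounts, or that used at least `min_enum_filters` distinct enumeration
    filters. Returns {account: [reasons]}."""
    counts, enum_filters = ldap_query_profile(log)
    baseline = median(counts.values())
    flagged = {}
    for acct, n in counts.items():
        reasons = []
        if n >= factor * baseline:
            reasons.append(f"{n} queries vs. median {baseline:g}")
        if len(enum_filters.get(acct, ())) >= min_enum_filters:
            reasons.append("enumeration filters: "
                           + ", ".join(sorted(enum_filters[acct])))
        if reasons:
            flagged[acct] = reasons
    return flagged


if __name__ == "__main__":
    print("new privileged accounts:",
          privileged_additions(SNAPSHOT_BEFORE, SNAPSHOT_AFTER))
    for acct, reasons in ldap_outliers(LDAP_LOG).items():
        print(acct, "->", "; ".join(reasons))
```

The membership diff only earns its keep when it is reconciled against approved changes (the `approved` set), otherwise every legitimate onboarding is an alert; the LDAP profile deliberately uses the median across accounts rather than a fixed count, so a single noisy service account does not drag the baseline up with it.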

Recommendations to Retailers Storing Credit Card Information

Additional, specific recommendations for retailers, restaurants, hotels and other enterprises that need to protect themselves from the mass theft of credit cards. They should follow this set of best practices:

• Invest in PCI compliance.

• Consider whitelisting the allowed programs on POS systems.

• Don't rely on outbound communication monitoring for C&C channels as a primary mitigation measure, since attackers do not use traditional command and control (C&C) channels.

• Participate in Retail Information Sharing and Analysis Center (R-ISAC) and Retail Cyber Intelligence Sharing Center (R-CISC) groups to gain valuable intelligence on retail attackers' Tactics, Techniques and Procedures (TTPs).



36 http://www.aorato.com/blog/windows-smart-card-logon-good-bad-ugly/ 
Appendix A: VISA's Attack-Tools List

See: http://usa.visa.com/download/merchants/Bulletin-Memory-Parser-Update-01 2014.pdf

Filename              MD5 Hash Value
svchosts.exe          Ce0296e2d77ec3bb112e270fc260f274
svchosts.exe          Ce0296e2d77ec3bb112e270fc260f274
svchosts.exe          f7c20a277929c4cb70999aff1b03388e
2wce.exe              93405c57e915680f0182650fb75c47ee
DUMPSEC.exe           65dd8d2d9604d43a0ebd105024f09264
ftprmt.exe            abb234773b0ad268f9a554c7ee597489
ftprt.exe             4352e635046aa624dff59084d5619e82
getlsasrvaddr.exe     0b33b4d61ea345f16c4a34b33e9276bc
ips.exe               6c1bcf0b1297689c8c4c12cc70996a75
isatapx64.zip         453810a77057d30f0ee7014978cdc404
local.exe             08644155f5c8f94f0cc23942c5c5068f
lstr.exe              623e4626d269324da62c0552289ae61f
lstsrall.exe          290c26433a0d9d14f1252e46b1204643
mmon.exe              db0450080be21ded08df8c897eb3bd9e
mtmp.exe              e2db09553f23a8abc85633f6bf1a0b49
netc.exe              322e136cb50db03e0d63eb2071da1ba7
netc.exe              322e136cb50db03e0d63eb2071da1ba7
notcp.exe             a35e944762f82aae556da453dcba20d1
osql.exe              4b9b36800db395d8a95f331c4608e947
osql.rll              df5dbcbcac6e6d12329f1bc8a5c4c0e9
pmap.exe              814b88ca4ef695fea3faf11912a1c807
portfwd.exe           d975fc6cda111c9eb560254d5eedbe0a
psexec.exe            aeee996fd3484f28e5cd85fe26b6bdcd
quark.zip             2cd8dddaf1a821eeff45649053672281
svchosts.exe          2cd8dddaf1a821eeff45649053672281
xmlrpc.php            C583bdcec14c6651cfd8a2a95736799d
query.exe             a109c617ecc92c27e9dab972c8964cb4
release.exe           f45f8df2f476910ee8502851f84d1a6e
svchosts.exe          1d2f0491678fbc6858fff2a5d61d3003
wmiislog.exe          e2db09553f23a8abc85633f6bf1a0b49
svchosts.exe          C0c9c5e1f5a9c7a3a5043ad9c0afa5fd
bcp.exe               3f00dd56b1dc9d9910a554023e868dac
osql.exe              02137a937f6fbc66dbc59ab73f7b1d3e
psexec.exe            aeee996fd3484f28e5cd85fe26b6bdcd
bladelogic.exe        433a2750429d805907aa4848ff666163
System32.exe          b9cf8e70681755c1711c38944695eeaa
Svcsec.exe            25f7b169b43c4d5db472afb0ee09b035
oposvc.exe            dd90c44afa5da730b8cb979667ae8fd3
svchosts.exe          0561344c4e4460077fdc79a4679508ed
Appendix B: Dell SecureWorks Attack-Tools List

See http://krebsonsecurity.com/wp-content/uploads/2014/01/Inside-a-Targeted-Point-of-Sale-Data-Breach.pd

Name                                 Description
QueryExpress.exe                     Portable SQL client for Microsoft SQL (MSSQL) Server and Oracle databases
psexec.exe                           Microsoft Sysinternals PsExec tool for running processes on remote systems
ppa_setup_en.msi                     Elcomsoft Proactive Password Auditor password cracking tool
portforward.exe                      Network port forwarding tool
osql.dll                             MSSQL query tool resource DLL
osql.exe                             MSSQL query tool
lsql.exe                             MSSQL query tool
OrchestratorRunProgramService.exe    Microsoft System Center 2012 SP1 Orchestrator
netcat.exe                           Netcat network utility for reading and writing data across the network
ipscan.exe                           Angry IP network scanner
dumpsec.exe                          Somarsoft DumpSec. Dumps Access Control List (ACL) information for files, registry, and network shares
bcp.exe                              MSSQL bulk SQL copy tool
Aorato protects organizations from advanced attacks. Recognizing Active Directory's pivotal role in the network, Aorato's

Directory. By profiling the entities, DAF builds an interaction graph between all entities in order to detect in real-time

Partners, and the founders of Imperva and Trusteer.